From: Fabian Wenk <fabian@wenks.ch>
To: freebsd-ipfw@freebsd.org
Date: Tue, 25 Dec 2012 15:58:08 +0100
Subject: IPv6 addresses in tables not always working
Message-ID: <50D9BF00.7050507@wenks.ch>
List-Id: IPFW Technical Discussions

Hello

To test tables with IPv6 for use with fail2ban (see thread "IPv6 Support" [1]), I tried it out on a FreeBSD 9.1-RELEASE (r244668) system. Not all possible rules with tables which include IPv6 addresses seem to work.

[1] http://sourceforge.net/mailarchive/message.php?msg_id=29387087

For fail2ban it will be possible to use both mixed tables with IPv4 and IPv6 addresses and separate tables with only IPv4 or IPv6 addresses. So I tried a few variants.
First I created 3 different tables (IPv4 only, IPv6 only, IPv4 and IPv6 mixed), this worked so far:

root@freebsd9:~ # ipfw table 4 add 62.12.173.3
root@freebsd9:~ # ipfw table 4 add 62.2.85.180
root@freebsd9:~ # ipfw table 4 add 62.2.85.186
root@freebsd9:~ # ipfw table 4 list
62.2.85.180/32 0
62.2.85.186/32 0
62.12.173.3/32 0
root@freebsd9:~ #
root@freebsd9:~ # ipfw table 6 add 2001:8a8:1005:1::3
root@freebsd9:~ # ipfw table 6 add 2001:8a8:1005:2::180
root@freebsd9:~ # ipfw table 6 add 2001:8a8:1005:2::186
root@freebsd9:~ # ipfw table 6 list
2001:8a8:1005:1::3/128 0
2001:8a8:1005:2::180/128 0
2001:8a8:1005:2::186/128 0
root@freebsd9:~ #
root@freebsd9:~ # ipfw table 46 add 62.12.173.3
root@freebsd9:~ # ipfw table 46 add 62.2.85.180
root@freebsd9:~ # ipfw table 46 add 62.2.85.186
root@freebsd9:~ # ipfw table 46 add 2001:8a8:1005:1::3
root@freebsd9:~ # ipfw table 46 add 2001:8a8:1005:2::180
root@freebsd9:~ # ipfw table 46 add 2001:8a8:1005:2::186
root@freebsd9:~ # ipfw table 46 list
62.2.85.180/32 0
62.2.85.186/32 0
62.12.173.3/32 0
2001:8a8:1005:1::3/128 0
2001:8a8:1005:2::180/128 0
2001:8a8:1005:2::186/128 0
root@freebsd9:~ #

Then I created a few basic rules for testing, which also worked (I did shorten the hostname prompt to avoid line wrap):

f9:~ # ipfw add 1 unreach port tcp from table\(4\) to me 22 in
00001 unreach port tcp from table(4) to me dst-port 22 in
f9:~ # ipfw add 2 unreach6 port tcp from table\(6\) to me6 22 in
00002 unreach6 port tcp from table(6) to me6 dst-port 22 in
f9:~ # ipfw add 3 unreach port tcp from table\(46\) to me 22 in
00003 unreach port tcp from table(46) to me dst-port 22 in
root@freebsd9:~ #
root@freebsd9:~ # ipfw show | head -3
00001 0 0 unreach port tcp from table(4) to me dst-port 22 in
00002 0 0 unreach6 port tcp from table(6) to me6 dst-port 22 in
00003 0 0 unreach port tcp from table(46) to me dst-port 22 in
root@freebsd9:~ #

Then I did some testing from the remote system (the IP addresses in the tables).
With IPv4 it is blocked right away with a connection refused, with IPv6 it takes 25 seconds and it tried to send many more packets. The destination system (freebsd9) has 2 IP addresses. When I also test with telnet, it tries to connect to both addresses, but with similar timeouts as with ssh below:

fabian@superman:~ $ time ssh -4 freebsd9
ssh: connect to host freebsd9.wenks.ch port 22: Connection refused

real 0m0.015s
user 0m0.002s
sys 0m0.008s
fabian@superman:~ $
fabian@superman:~ $ time ssh -6 freebsd9
ssh: connect to host freebsd9.wenks.ch port 22: Connection refused

real 0m25.212s
user 0m0.005s
sys 0m0.006s
fabian@superman:~ $

root@freebsd9:~ # ipfw show | head -3
00001 2 120 unreach port tcp from table(4) to me dst-port 22 in
00002 10 752 unreach6 port tcp from table(6) to me6 dst-port 22 in
00003 0 0 unreach port tcp from table(46) to me dst-port 22 in
root@freebsd9:~ #

Then I deleted the IPv4 and IPv6 only rules to only test with the mixed IPv4 and IPv6 table(46):

root@freebsd9:~ # ipfw delete 1 2
root@freebsd9:~ # ipfw show | head -1
00003 0 0 unreach port tcp from table(46) to me dst-port 22 in
root@freebsd9:~ #

And again testing from the remote system, the timeouts are still with the same difference for IPv4 and IPv6, but the message for IPv6 is now different:

fabian@superman:~ $ time ssh -4 freebsd9
ssh: connect to host freebsd9.wenks.ch port 22: Connection refused

real 0m0.012s
user 0m0.008s
sys 0m0.000s
fabian@superman:~ $

root@freebsd9:~ # ipfw show | head -1
00003 2 120 unreach port tcp from table(46) to me dst-port 22 in
root@freebsd9:~ #

fabian@superman:~ $ time ssh -6 freebsd9
ssh: connect to host freebsd9.wenks.ch port 22: Host is down

real 0m25.212s
user 0m0.009s
sys 0m0.001s
fabian@superman:~ $

root@freebsd9:~ # ipfw show | head -1
00003 12 872 unreach port tcp from table(46) to me dst-port 22 in
root@freebsd9:~ #

I also tried some other rules, which would be use cases for my setup with fail2ban, but not all of them work:
freebsd9:~ # ipfw add 4 deny ip6 from table\(6\) to me6 22 in
ipfw: bad address "table(6)"
root@freebsd9:~ #
root@freebsd9:~ # ipfw add 5 deny ip4 from table\(4\) to me 22 in
00005 deny ip4 from table(4) to me dst-port 22 in
root@freebsd9:~ #

Ok, the next one probably does not have a real use case, I was just testing:

freebsd9:~ # ipfw add 6 deny ip4 from table\(46\) to me 22 in
00006 deny ip4 from table(46) to me dst-port 22 in
root@freebsd9:~ #

To help collect the information regarding IPv6 support in ipfw tables, what other rules should I test? Or is this already enough information for any FreeBSD IPFW developer to be able to locate and probably fix these issues? I guess it is probably better to first collect some more information regarding IPv6 and tables here on the list and then create a corresponding PR later on for it.

bye
Fabian
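An added example (not part of the post above, and not fail2ban's or ipfw's own code) of the per-family table selection a ban action would need, plus a parser for the `ipfw table N list` output shown in the post; the table numbers 4, 6 and 46 follow the post, and the sample output is copied from it as constructed test input.

```python
# Added example: pick the ipfw table for a banned address by family (or use the
# mixed table), build the `ipfw table N add` commands, and parse `ipfw table N list`.
import ipaddress

TABLE_V4, TABLE_V6, TABLE_MIXED = 4, 6, 46  # table numbers used in the post

def table_for(addr: str, mixed: bool = False) -> int:
    """Return the ipfw table number an address belongs in; rejects garbage input."""
    ip = ipaddress.ip_address(addr)          # raises ValueError for non-addresses
    if mixed:
        return TABLE_MIXED
    return TABLE_V6 if ip.version == 6 else TABLE_V4

def add_commands(addrs, mixed: bool = False):
    """Build one `ipfw table N add ADDR` command per validated address."""
    return [f"ipfw table {table_for(a, mixed)} add {a}" for a in addrs]

def parse_table_list(output: str):
    """Parse `ipfw table N list` lines such as '62.2.85.180/32 0' into (network, value)."""
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 2:                  # skip prompts and blank lines
            continue
        entries.append((ipaddress.ip_network(parts[0], strict=False), int(parts[1])))
    return entries

def families(entries):
    """Set of IP versions present in a parsed table, e.g. {4, 6} for a mixed table."""
    return {net.version for net, _ in entries}

# Constructed sample: the `ipfw table 46 list` output from the post.
SAMPLE_46 = """\
62.2.85.180/32 0
62.2.85.186/32 0
62.12.173.3/32 0
2001:8a8:1005:1::3/128 0
2001:8a8:1005:2::180/128 0
2001:8a8:1005:2::186/128 0
"""

if __name__ == "__main__":
    for cmd in add_commands(["62.12.173.3", "2001:8a8:1005:1::3"]):
        print(cmd)
    print(sorted(families(parse_table_list(SAMPLE_46))))
```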